I suggest you ...

Networking: Data Leak Prevention System (DLP)

A system that will identify, monitor, and protect data through deep content inspection. This will be a must have system to detect and prevent the unauthorized use and transmission of confidential information.

Add the ability to enable content filtering for outbound SMTP emails; emails would be blocked, or forced to be encrypted, depending on policies set by an administrator. The engine would look for patterns such as SSN, CC #, etc. (just about any pattern.. use of PCRE, etc. would work) and either force the email to be encrypted (if there was a S/MIME or PGP key available for the receipient) or returned (optionally with or without a notification being sent to a designated email address or group) to the sender. Email Data Leakage prevention is becoming more of a hotbutton issue lately...

It would be great if the IDS could search network packets for Non- Public Information, like credit cards, social security numbers and things of that nature. No institution allows that type of information to be passed on their network un-encrypted. Having the IDS be able to capture packets like this and block them can prove extremely useful.

In addition to generic blocking that others have mentioned, it would be worth putting in much of the same features as the endpoint protection client to catch violations from devices that don't have endpoint protection installed (mobile devices, for example).

This would also make the product more competitive. I could even see making a more comprehensive package available as an add-on.

Hello. as said, other competitors already implemented dlp. it would be nice if astaro did also. for example controlling file transfers for social networking site or applications like msn and skype.
Regards

Hi there - we have a client interested in limiting specific attachment types sent outbound (possibly also to specific hosts but I am praying not....) . Is there a development branch working on this at all or am I going to have to start thinking differently?
Cheers
Si

I want to be able to allow users to access 'online' content so they can download information that other third parties have shared, but prevent them from 'uploading' content to the same site. We are getting numerous requests from staff asking for access to sites like dropbox, etc and I want users to be able to download shared content but remove the ability for them to upload

you already can. Leave astaro in it's block by default configuration and only allow the sites folks are allowed to goto. Another way is to run your http proxy in AD authentication mode. Setup an http proxy profile for those folks who aren't allowed to upload and restrict them to only sites that provide no upload and have the other profile be less restrictive for others. since you can leverage AD you can make a profile for every OU if you wish.They won't be able to upload if you restrict them to sites that don't provide uploads. Otherwise the solution isn't an easy one.

I have searched all over the internet for this functionality and there are only a limited number of vendors that provide solutions, most are applications that must be installed on a users machine. For an enterprise solutions, it is much better to have this funcationality at the gateway.

I think 2 features are critical
1- to be able to block mails with attachments sent to generic email providers (gmail, hotmail, etc).
2- scan for regular expressions in email body and attachments.
I think that just having this two will be of enormous help. And also, I guess it should be relatively easy to implement.

isadalvi - DLP is not a product, its a teamed solution between file /print/ client/ server/ network and a few other access points which controls what data can go where. Their is no single product on the market (or will ever be) that is a DLP solution. Some products excell in identifying data, some excell in how they control that content... I beleive the best way for Astaro to jump into the market is to integrate with a few of those solutions with a lower price point. Just to give an example, the Orchestria product has ICAP and a SOCKET API which Astaro can comunicate with to utilize their engine rather than making their own. Once they have the integration established, they now have a strong in to the top 10 financial companies in the US, as well as several of the top manufacturing and insurance companies.

While DLP is an excelent market to get into, their are several products that this one could interface with which would add the DLP option. between McAfee, RSA, CA DLP... all of them have ICAP integration. just adding that one option would add in the DLP market. and given my dealings with companies like symantec that already have a linux DLP appliance, you could crush them in the market by knocking there 3 hardware solutions to a single astaro VM.

I agree with all of you. There is no single DLP framework or a standard today. But, since ASG does multi-fold inspection of various traffics already, having a DLP feature to enforce corporate policy is a must have. I also agree that it should sit it its own box, but, technically, DLP should be a joint effort of all data escape channels; which makes it a gateway feature on a firewall like Astaro. Having some control is better than having nothing at all. I am confident that it will make ASG a preventive, deterrent and detective control from a Data Leakage perspective.